Ireland’s Health Service Executive (HSE) suffered a major ransomware attack on Thursday that forced it to activate a crisis response plan, shut down all IT systems, and cancel non-essential medical appointments immediately.
Since Friday morning, the National Cyber Security Centre Ireland (NCSC Ireland) has been engaging with HSE, deploying its resources to identify the affected systems and the technical details of the malware used in this incident. Like its British namesake, NCSC Ireland leads the management of major cyber security incidents across government and provides guidance and advice to citizens and businesses on major cyber security incidents.
In an advisory issued on Friday, NCSC Ireland said cyber criminals used the human-operated Conti ransomware to target the IT network of HSE on Thursday morning, forcing HSE to shut down all of its IT systems as a precaution in order to assess and limit the impact. The organisation has, however, maintained limited network connectivity to other healthcare providers as a precautionary measure.
To eradicate the ransomware, NCSC has recommended that HSE should wipe, rebuild and update all infected devices, ensure antivirus is up to date on all systems, make sure all hardware devices are patched and up to date, and use offsite backups to restore systems.
“We have been the subject of a very significant, major ransomware attack. It’s a very sophisticated attack. It is impacting all of our national and local systems that would be involved in all of our core services,” said HSE chief executive Paul Reid to RTE. “We did become aware of it during the night and have been acting on it straight away. The immediate priority is obviously to contain this.”
The Conti ransomware was used by hackers to target Advantech, the Taiwanese manufacturer of industrial automation solutions and embedded modules and systems, in November last year. The hackers reportedly demanded 750 BTC (£10,959,463) from the company in exchange for not publishing stolen data on the Internet and for deleting the files they had stolen.
According to threat intelligence firm CloudSEK, the Conti ransomware is regarded as the successor to the Ryuk crypto-malware and is known for capabilities such as fast encryption, anti-analysis features and direct, command-line driven execution.
“Conti has multithreading capabilities – 32 concurrent CPU threads for encryption – which makes it faster. This ransomware abuses Windows Restart Manager functionality by closing applications that lock certain files. Conti then disables Windows services responsible for security, backup, database, email solutions, which allows it to encrypt these files. Conti also allows executing command-line arguments to directly encrypt local hard drives, data and network shares, and even specific IP addresses of the threat actors’ choice.
“Once the ransomware takes over, it deletes Windows Shadow Volume copies to prevent recovery of the files on the local system. Conti appends the ‘.CONTI’ extension to the encrypted files and leaves a ransom note in each folder. To encrypt the data, the ransomware uses an AES-256 encryption key for each file, which is in turn encrypted with a bundled RSA-4096 public encryption key that is unique for each victim,” the firm said.
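The behaviours CloudSEK describes above (shadow copy deletion, bulk stopping of security, backup, database and mail services, and files being rewritten with the ‘.CONTI’ extension) are exactly the observable artefacts an endpoint or SIEM detection would key on. The following is an added example, not code from the original article, CloudSEK, NCSC Ireland or HSE: a small Python detector run over constructed sample process-creation and file-write events. The event format, host names, paths and service names are made up for the demonstration, and the `vssadmin delete shadows` / `wmic shadowcopy delete` command patterns are the common Windows shadow-copy deletion methods rather than commands the article attributes to Conti.

```python
"""Toy ransomware-behaviour detector (added example, not vendor tooling).

Three rules, mapped to the behaviours described in the article:
  1. shadow_copy_deletion  - a single shadow-copy deletion command line
  2. service_stop_burst    - many service-stop commands from one host in a
                             short window (security/backup/DB/mail services)
  3. mass_conti_extension  - many files written with a .CONTI suffix from
                             one host in a short window
The log schema, hosts, paths and service names below are constructed
for the demonstration and are not taken from the incident.
"""
import re
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, host, event_type, detail).
# event_type "proc" carries a command line; "file" carries a written path.
SAMPLE_EVENTS = [
    (100, "WS-17", "proc", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    (101, "WS-17", "proc", r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"),
    (102, "WS-17", "proc", r'net stop "DbEngine" /y'),          # made-up service names
    (102, "WS-17", "proc", r'net stop "MailStore" /y'),
    (103, "WS-17", "proc", r'net stop "BackupSvc" /y'),
    (103, "WS-17", "proc", r"sc stop SecurityCenter"),
    (104, "WS-17", "proc", r'net stop "VssProvider" /y'),
    (110, "WS-17", "file", r"\\FILESRV\shares\finance\Q1.xlsx.CONTI"),
    (110, "WS-17", "file", r"\\FILESRV\shares\finance\budget.docx.CONTI"),
    (111, "WS-17", "file", r"C:\Users\jdoe\Documents\notes.txt.CONTI"),
    (112, "WS-17", "file", r"C:\Users\jdoe\Documents\letter.docx.CONTI"),
    (113, "WS-17", "file", r"C:\Users\jdoe\Documents\photo.jpg.CONTI"),
    (500, "WS-04", "proc", r"net stop Spooler"),                # benign, single stop
    (520, "WS-04", "file", r"C:\Users\asmith\report.docx"),     # benign write
]

# Common shadow-copy deletion command lines (general knowledge, not from the article).
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
# net stop / sc stop invocations.
SERVICE_STOP = re.compile(r"\b(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\b", re.I)
# Extension the article says Conti appends to encrypted files.
ENCRYPTED_EXT = ".conti"

WINDOW_SECONDS = 60       # burst window for rules 2 and 3
STOP_THRESHOLD = 4        # service stops per host per window before alerting
ENCRYPT_THRESHOLD = 3     # .CONTI writes per host per window before alerting


def _burst(per_host, window, threshold, rule):
    """Emit one alert per host for the first sliding window that reaches threshold."""
    alerts = []
    for host, items in per_host.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans <= window seconds.
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "rule": rule, "ts": items[start][0],
                               "evidence": [detail for _, detail in items[start:end + 1]]})
                break
    return alerts


def detect(events, window=WINDOW_SECONDS, stop_threshold=STOP_THRESHOLD,
           encrypt_threshold=ENCRYPT_THRESHOLD):
    """Return a list of alert dicts for the given (ts, host, type, detail) events."""
    alerts = []
    stops = defaultdict(list)    # host -> [(ts, cmdline)]
    writes = defaultdict(list)   # host -> [(ts, path)]
    for ts, host, kind, detail in sorted(events):
        if kind == "proc":
            if SHADOW_DELETE.search(detail):
                # High confidence on its own: almost never legitimate outside backup tooling.
                alerts.append({"host": host, "rule": "shadow_copy_deletion",
                               "ts": ts, "evidence": [detail]})
            if SERVICE_STOP.search(detail):
                stops[host].append((ts, detail))
        elif kind == "file" and detail.lower().endswith(ENCRYPTED_EXT):
            writes[host].append((ts, detail))
    alerts += _burst(stops, window, stop_threshold, "service_stop_burst")
    alerts += _burst(writes, window, encrypt_threshold, "mass_conti_extension")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] host={alert['host']} t={alert['ts']} "
              f"evidence={alert['evidence'][:2]}{'...' if len(alert['evidence']) > 2 else ''}")
```

On the sample data only WS-17 fires: two shadow-copy deletion alerts, one service-stop burst (four stops within two seconds) and one mass-extension alert, while the lone `net stop Spooler` on WS-04 stays below threshold. In a real deployment the shadow-copy rule should page on a single hit, whereas the two burst rules need their thresholds tuned against normal administration and patching windows, and an extension-based rule only catches the variant whose suffix you know, so a rate-of-rename rule independent of the extension is the more durable companion.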
While it is not yet known whether the ransomware operators have demanded a ransom from HSE, the recent attack on Colonial Pipeline has made it clear that hackers deliberately target organisations that cannot afford operational downtime and are therefore under pressure to pay a large ransom to regain access to encrypted files and systems.
“Threat actors are criminals, money grubbers and in attacks on critical infrastructure they are committing cyber terrorism. Cybereason advises against paying ransoms, but this is a very personal decision for a company,” says Sam Curry, Chief Security Officer at Cybereason.
“In life-and-death situations or because of a national emergency, it could be in the best interest of the company to pay. Before you make that decision, make sure your company’s legal counsel and insurer are involved. And notify law enforcement of the situation.
“Ransomware is preventable and it requires a mature security programme on your network to stop it. Install endpoint detection and remediation software on your endpoints to stop the threat. A leading analyst firm recently published statistics showing that only 40 percent of endpoints had endpoint detection software installed on them. To overcome the scourge of ransomware this number will need to increase significantly,” he adds.
UPDATE: According to Financial Times, the hackers did make a big ransom demand to be paid in Bitcoin but Ireland has refused to pay up. “Ransom has been sought and won’t be paid in line with state policy,” a spokesperson from Ireland’s Health Service Executive told the paper.
Anurag Kahol, CTO of Bitglass, says healthcare organisations must make information security their top priority: the rapid digitisation of patient records has made it very difficult to implement consistent data security policies and training schemes that educate staff on keeping data safe.
“Healthcare organisations have been a major target since the start of the pandemic, and as a result need to ensure they take every precaution necessary to protect patient data. Hundreds of hospitals, medical offices, and imaging centres have contributed to over a billion exposed records; Ireland’s health service, the Health Service Executive, has become one of many,” he says.
“Strategic investments in cybersecurity will make a significant impact on protecting healthcare businesses against cyber security risks, which will potentially save billions in the long run. To prevent future ransomware attacks and safeguard highly sensitive information, organisations must have full visibility and control over their data.
“This can be accomplished by leveraging multi-faceted solutions that defend against malware on any endpoint, enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, and prevent data leakage. What’s more, healthcare organisations need to ensure adequate employee training to protect from ransomware. Employees must be able to identify phishing attempts and illegitimate emails, which is the primary vector for ransomware attacks.”